Hi Leosi,

> For those who are interested in setting up PEAP/MSCHAP under Freeradius
> 2.14, I wrote a simple how-to.
> I hope it could help someone. :)
>
>
> INSTALLATION PROCESS: FREERADIUS 2.14 (PEAP – MSCHAP)
>
> ===
> OS :
> ===
> - Ubuntu Server 8.10
>
> ======
> SWITCH:
> ======
> - HP 2600
>
> ==========
> Prerequisites :
> ==========
> - Samba installed (or sudo apt-get install samba smbfs)
> - Kerberos installed (or sudo apt-get install krb5-clients krb5-user)
>
> ==============
> Table of contents :
> ==============
> * Setting Procurve HP Switch
> * Installation of OpenSSL 0.9.8j
> * Installation of Freeradius 2.14
> * Integrate the radius server to the domain
> * Testing to join the AD domain
> * Authenticate with NTLM using EAP – PEAP
> * Configuring Freeradius
> * Testing authentication process
> * Starting freeradius into background mode
>
> =====================
> Setting Procurve HP Switch:
> =====================
> ; J4900B Configuration Editor; Created on release #H.10.67
> hostname "SWiTCH"
> no web-management
> web-management ssl
> no telnet-server
> ip ssh
> interface 1
> no lacp ; see [1] at the bottom of the page

There's a bug in <= H.10.74 (fixed in H.10.76, not yet released) where the
port-access authenticator won't be initialised properly until the interface
is 'cycled' (disabled/enabled). This wasn't discovered before, because when
the port-access authenticator is enabled, the switch automatically disables
LACP (cycling the port in the process).

It's therefore a good idea to leave LACP enabled on ports before you enable
the port-access authenticator, and not to disable it explicitly, but let the
switch take care of disabling it for you.

> exit
> [...]
> interface 26
> no lacp
> exit
> vlan 1
> name "XXXX"
> untagged 1-26
> exit
> vlan 2
> name "YYYYY"
> ip address 192.168.2.1 255.255.255.0
> ip helper-address 192.168.0.2
> exit
>
> aaa authentication port-access eap-radius
> radius-server key testing123
> radius-server timeout 1
> radius-server dead-time 1
> radius-server host 172.28.32.16
>
> aaa port-access authenticator 17-24

Use port ranges ....

aaa port-access authenticator 17-24 auth-vid 2
aaa port-access authenticator 17-24 unauth-vid 3

I'd recommend against using an auth-vid, it's not necessary in this setup,
and may add unnecessary delay between the client being authenticated, and
traffic passing from the client onto the correct VLAN. I'd recommend you set
a default PVID for the port instead 'VLAN x untagged 17-24'.

> aaa port-access authenticator 17 auth-vid 2
> aaa port-access authenticator 17 unauth-vid 3
> [...]
> aaa port-access authenticator 24 auth-vid 2
> aaa port-access authenticator 24 unauth-vid 3
> aaa port-access authenticator active
> aaa port-access 17-24
> ip routing

Why turn this on? It's off by default and it's not required for 802.1x
authentication.

> gvrp

Think what would happen if a GVRP enabled client connected to an 802.1x
authenticated port... They could request *ANY* VLAN available on the switch.

The 'auth-vid' and 'unauth-vid' features only control the PVID, they do not
control statically or dynamically tagged VLANs configured for the port.

If you want to explain how to use GVRP properly as part of dynamic VLAN
assignment, then add the following:

# Stops GVRP advertisements being forwarded to stations on the edge
# and blocks ingress GVRP advertisements.
int 17-24 unknown-vlan disable

# Allows the switch to use GVRP VLANs in dynamic VLAN assignment
aaa port-access gvrp-vlans

GVRP is an incredibly useful protocol, but you need to know what you're
doing, else it becomes a huge security hole.

Would you like this in the wiki somewhere?
If so, email me directly and I'll create an account for you.

Thanks,
Arran

-- 
Arran Cudbard-Bell ([email protected]),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
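A small audit script, added here as an example and not part of this thread or of anything HP or FreeRADIUS ship: it parses a ProCurve edge-port configuration (only the handful of commands that appear above) and reports the four points raised in the reply, an explicit 'no lacp' on authenticator ports, use of auth-vid, 'ip routing', and GVRP enabled without 'unknown-vlan disable' on the authenticator ports. SAMPLE_CONFIG is constructed from the quoted snippets, and the finding names are my own.

```python
import re
# Constructed sample stitched from the snippets quoted in the thread (not a real switch dump).
SAMPLE_CONFIG = """
interface 17
   no lacp
exit
aaa port-access authenticator 17-24
aaa port-access authenticator 17-24 auth-vid 2
aaa port-access authenticator 17-24 unauth-vid 3
aaa port-access authenticator active
ip routing
gvrp
"""

def _ports(spec):
    """Expand a ProCurve port spec such as '17-24' or '1,3-5' into a set of ints."""
    bounds = [p.partition("-") for p in spec.split(",")]
    return {n for lo, _, hi in bounds for n in range(int(lo), int(hi or lo) + 1)}

def audit_8021x_edge(config):
    """Map each issue raised in the thread to the affected ports (True for global ones)."""
    auth, no_lacp, auth_vid, unknown_off, ctx, flags = (set() for _ in range(6))
    for line in (ln.strip() for ln in config.splitlines()):
        if not line or line.startswith(";"):
            continue                                   # blank or comment
        scope, m = ctx, re.match(r"^int(?:erface)?\s+([\d,\-]+)(?:\s+(.+))?$", line)
        if m:  # 'interface 17' opens a context; 'int 17-24 <cmd>' applies <cmd> inline
            scope, line = _ports(m.group(1)), m.group(2) or ""
            ctx = ctx if m.group(2) else scope
        if line == "exit":
            ctx = set()
        elif line == "no lacp":
            no_lacp |= scope
        elif line == "unknown-vlan disable":
            unknown_off |= scope
        elif line in ("gvrp", "ip routing"):
            flags.add(line)
        a = re.match(r"^aaa port-access authenticator ([\d,\-]+)(\s+auth-vid\b)?", line)
        if a:
            auth |= _ports(a.group(1))
            auth_vid |= _ports(a.group(1)) if a.group(2) else set()
    findings = {name: sorted(p) for name, p in [
        ("explicit-no-lacp", no_lacp & auth),          # <= H.10.74: let the switch disable LACP
        ("auth-vid", auth_vid),                        # use a static untagged PVID instead
        ("gvrp-without-unknown-vlan-disable",          # supplicants could register any VLAN
         auth - unknown_off if "gvrp" in flags else set()),
    ] if p}
    if "ip routing" in flags:                          # off by default, not needed for 802.1X
        findings["ip-routing"] = True
    return findings
```

Running audit_8021x_edge(SAMPLE_CONFIG) flags all four points; the same ports with 'unknown-vlan disable', a static untagged VLAN, no auth-vid and no 'ip routing' come back clean.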

